DoD looks to ensure programs mark sensitive ‘CUI’ data

A DoD inspector general report found DoD inconsistently marked controlled unclassified information (CUI). Under CMMC, that could be a big problem.

The Pentagon is developing training and tools to ensure its program managers know when and how to mark sensitive information that will trigger Cybersecurity Maturity Model Certification (CMMC) requirements.

The Defense Department released its proposed CMMC acquisition rule last month, following the complementary proposed program rule it released late last year. DoD could start rolling out CMMC as soon as next year.

Under current defense acquisition rules, contractors that handle controlled unclassified information, or CUI, are required to protect it by following National Institute of Standards and Technology cybersecurity standards. The CMMC program is intended to provide third-party audits to verify whether contractors have implemented the NIST standards.

But DoD officials acknowledge CUI can be a vexing issue for program offices and contractors alike.

The Pentagon plans to do a “phased rollout” of CMMC over three years. During that period, programs will have the discretion to use CMMC requirements. Stacy Bostjanick, chief of industrial base cybersecurity at DoD, said program offices will need to identify their CUI before putting CMMC requirements into solicitations.

“They’ve got to understand how it lays in, how to disaggregate it and pass it down the supply chain, and we’ve got to be prepped and ready to do that,” Bostjanick said during a Sept. 12 event hosted by the Coalition for Government Procurement.

DoD is primarily concerned about U.S. adversaries stealing sensitive data about weapon system design and operations from defense contractors. But the department’s “CUI registry” identifies more than 100 categories of CUI, ranging from technical weapon system data to historic properties and death records.

In a report released last year, the DoD inspector general found the department largely wasn’t tracking whether programs were using CUI markings for emails and other potentially sensitive documents. DoD and contracting officials were also found not to be checking whether personnel completed required CUI training.

Those gaps “can increase the risk of the unauthorized disclosure of CUI or unnecessarily restrict the dissemination of information and create obstacles to authorized information sharing,” the IG wrote in the report.

‘More work to do’

During last week’s event, Bostjanick emphasized the importance of CUI training as the Pentagon rolls out the CMMC requirements.

“There’s training that we’re going to do to make sure that program managers know exactly what is CUI and what needs to be marked,” Bostjanick said. “I would say for companies, if you feel like you are developing information that should be protected, that you state that and let us know. So when we get it, we handle it correctly. And vice versa: if you don’t think that what you’ve got is supposed to be CUI, then you push back and you have the discussion.”

During the same event, Jeff Spinnanger, director of information and acquisition protection within the office of the under secretary of defense for intelligence and security, said his office is working with the DoD chief information officer to build tools for identifying when CUI markings are necessary.

“We have more work to do to fully implement the regulation,” Spinnanger said. “Those are the things that will help to create more consistency of application.”

But the Pentagon has yet to codify any CUI requirements into either of its CMMC rules. Dan Ramish, a procurement attorney with Haynes Boone, said CUI is “the crux of the whole system.”

“There’s no specific either regulatory or contractual requirement for DoD to identify what information that will be provided or generated under the contract is CUI,” Ramish said on the Federal Drive with Tom Temin last week. “And that’s a really fundamental point that should be addressed. It’s addressed in DoD policy and then frequently asked questions, but it should be in the regulations in the contract as well.”

Copyright © 2024 Federal News Network. All rights reserved.
